Active Directory Integration advice
by Prashant Bapat
Hi All,
I'm to set up FreeIPA in my organization to be the central directory for users/groups/SSH keys and maybe sudo rules. All the users and groups are already present in Windows Active Directory.
So far I've tried setting up an AD Trust, but this does not let the users in AD log in to the web UI of FreeIPA. I have looked at PassSync as well, but as per the docs only users will be synced, and only on a password change; groups won't be.
To give you more details below is my use case.
1. The users and groups are in AD.
2. A user in AD should be able to login to FreeIPA web UI using AD password and manage their SSH keys.
3. Groups on AD should reflect in FreeIPA.
Appreciate if anyone can point me in the right direction.
Regards.
--Prashant
4 years, 4 months
upgrade freeipa from version 4.1.4 to 4.6.4
by Fritjof Konkas
I have an old version of FreeIPA server, version 4.1.4, running on Fedora 22.
Is it possible to migrate the data from it to version 4.6.4 on another server running CentOS 7?
/Fritjof
4 years, 4 months
sudo rule does not work for domain user
by Rob Verduijn
Hello,
I'm trying to figure out why an ad-domain user cannot use sudo.
When I test with
ipa hbactest --user=ansible --host ipa01.linux.example.com --service sudo-i
it says access granted: True.
However, if I issue the command 'sudo -l -U ansible' on the ipa01 host it
says: User ansible(a)windows.example.com is not allowed to run sudo on ipa01
It works for an ipa user using the same sudo rule.
id ansible works as well on the ipa01 host:
uid=1958801104(ansible(a)windows.example.com) gid=1958801104(ansible(a)windows.example.com) groups=1958801104(ansible(a)windows.example.com),1958800512(domain admins(a)windows.example.com),1958800513(domain users(a)windows.example.com)
The user ansible can log in to the ipa01 host but cannot issue sudo -i.
What am I missing?
Rob Verduijn
4 years, 4 months
zabbix for monitoring FreeIPA server?
by Tony Brian Albers
Hi guys,
Anyone got this working?
And if so, how did you do it?
I know I can monitor the components separately, but if you know of
anything that can do it easier I'd be happy to know about it.
/tony
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
4 years, 4 months
Statues of the HSM support?
by チョーチュアン
Hi all,
I just bought a Nitrokey HSM and am trying to set it up with FreeIPA; I'm
not sure it's quite supported yet.
`ipa-server-install` aborted every time during CA configuration; the reported
error was "pkihelper : ERROR Server unreachable due to SSL error:
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure
(_ssl.c:1056)"
I wonder if FreeIPA has some modifications that actually break HSM
support?
Environment:
OS: Fedora-30-Cloud-base
freeipa-4.7.90.pre1-4.fc30
opensc-0.19.0-6.fc30
Here's what I've done:
```
sudo ipa-server-install -U \
--allow-zone-overlap \
--auto-forwarders \
--no-reverse \
-r DOMAN.TLD \
-a `pass ipa/admin` \
-p `pass ipa/dm` \
--setup-dns \
--ca-subject='CN=CA Subject Name' \
--pki-config-override=/etc/ipa/override.ini
```
and in the `/etc/ipa/override.ini`:
```
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219
```
Don't mind the password; it's the default and for testing only.
I have modified the polkit[0] also:
```
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "pkiuser") {
        return polkit.Result.YES;
    }
});
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader").startsWith("Nitrokey Nitrokey HSM") &&
        subject.user == "pkiuser") {
        return polkit.Result.YES;
    }
});
```
`sudo -u pkiuser` gives the right card info.
I have disabled p11-kit-proxy by hand:
```
# cat /etc/crypto-policies/local.d/nss-p11-kit.config
#name=p11-kit-proxy
#library=p11-kit-proxy.so
```
and added nitrohsm for it (maybe not necessary):
```
# /etc/crypto-policies/local.d/hsm.config
name=nitrohsm
library=opensc-pkcs11.so
```
After that, I can successfully add the SmartCard-HSM to
`/etc/pki/pki-tomcat/alias` without a problem.
The original error snippet:
```
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpciwcfccp'] returned
non-zero exit status 1: 'pkihelper : ERROR Server unreachable due to
SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:1056)\nconfiguration : ERROR Server failed to
restart\npkispawn : ERROR Exception: server failed to restart\n
File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547,
in main\n scriptlet.spawn(deployer)\n File
"/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 670, in spawn\n raise Exception("server failed to restart")\n\n')
See the installation logs and the following files/directories for more
information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
```
[0]: https://gist.github.com/tiran/af7c21882e1732227455a13c3b8ff380
--
Regards,
Quan Zhou
F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822(a)gmail.com
4 years, 4 months
Certmonger spawns many processes, causing huge load due to swapping
by Jonathan Vaughn
I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as long
as I didn't run the Dogtag server on it performance seemed acceptable for
the purpose. These are only being used as local DNS/LDAP/Krb5 replicas,
everything also runs on both physical x86_64 and VM x86_64 servers as well
in more than one location.
However now that I'm trying to set up Pis for actual use (previously had
set up a test environment to validate using them) I'm running into major
performance issues once certmonger starts. Using a systemd timer to delay
start until everything else starts at least lets everything else FreeIPA
related start up and work, but once certmonger starts it still hammers the
system using tons of memory and causing lots of swapping.
Is there any reason for it to spawn so many processes all at once, versus
doing them in a more serial fashion? And did something change in
FreeIPA/certmonger behavior in the last year that would cause such a
performance regression in memory limited scenarios? Previously I just had
zram swap and it was fine, now I have to replace that with actual swap on
storage.
Also, there are currently no certs needing renewal or anything on this
system, so why does it even spawn so many processes?
root 1699 1 0 03:55 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
root 1720 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1721 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1722 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1723 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1724 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1725 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1726 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1727 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1742 1699 0 03:55 ? 00:00:00 /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
root 1759 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1761 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1762 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1763 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1764 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1765 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1767 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1768 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1769 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1770 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1771 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1772 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1773 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1774 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1775 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1776 1699 0 03:57 ? 00:00:00 /usr/bin/python3 -E /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
Eventually these complete and things settle down but it takes a very long
time, and without delaying certmonger until after the rest of FreeIPA it
can cause various IPA services to take so long that they die and fail to
start.
4 years, 4 months
secure freeipa exposed to internet
by Stepan Vardanyan
Hello,
I've proposed to migrate from OpenLDAP to FreeIPA in my organization because the former did not meet our requirements as we were moving to Single Sign-On. We migrated to FreeIPA but set it up with an internal DNS name. This was a dumb decision, as we have a lot of external hosts in AWS and other datacenters which we want to join to our FreeIPA for authentication with one credential and to utilize policies (HBAC, sudoers) easily and centrally.
We found that there are two solutions:
- set up tunnels between AWS and the datacenters to make our DNS zone and FreeIPA servers available;
- redeploy the whole FreeIPA with an external DNS name and expose the FreeIPA servers to the Internet.
We ended up with the second option because the first one is very complex, but the second option makes us think about security.
What came to mind is:
- disable anonymous bind;
- prohibit unencrypted traffic and improve communications security by using the options: nsslapd-minssf=128, nsslapd-require-secure-binds=on, sslVersionMin=TLS1.1.
So, there are several questions:
1) Is there anything else from a security perspective that we should care about or configure properly (Kerberos DC for example)?
2) We want to share with users only one Web service from a specific replica, so users will not cause replication conflicts by modifying entries on other replicas. Is it ok if we close the web ports (80, 443) to everything but localhost on the other replicas and leave all other ports on all replicas open to the internet (389, 636, 88, 464)?
3) How secure and strong is the default SASL/GSSAPI replication mechanism? I've noticed that the traffic is encrypted but can be decrypted by using the server's Kerberos keytab.
4) Overall, even with all the previous concerns taken into account, is it proper to open FreeIPA to the internet? This is kind of a rhetorical question, as we see that this is the only choice for us, but I just want to hear some advice and expert vision.
P.S. We don't utilize the FreeIPA internal DNS service. DNS is configured on external hosts.
Thanks in advance.
4 years, 4 months
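The hardening settings listed in the post above (minimum SSF, secure binds only, a TLS floor, and no anonymous bind) are plain 389-ds attributes on `cn=config` and `cn=encryption,cn=config`, so they can be audited from a config dump before a replica is exposed. The checker below is an added example, not code from the thread or from FreeIPA; it assumes a dump in the shape of `dse.ldif` or `ldapsearch -b cn=config` output, and `nsslapd-allow-anonymous-access` is the standard 389-ds attribute behind "disable anonymous bind". The sample dumps are constructed.

```python
# Added example (not from the thread): audit a 389-ds/FreeIPA config dump for
# the settings the post lists. Missing attributes are judged at 389-ds defaults.
TLS_RANK = {"TLS1.0": 0, "TLS1.1": 1, "TLS1.2": 2, "TLS1.3": 3}

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}, dn and attr lowercased.
    Enough for flat config entries; no base64 or folded-line support."""
    entries, cur = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:            # blank line ends the current entry
            cur = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def audit(text, min_ssf=128, min_tls="TLS1.1"):
    """Return findings (empty list = every check from the post passes)."""
    e = parse_ldif(text)
    cfg = e.get("cn=config", {})
    enc = e.get("cn=encryption,cn=config", {})
    findings = []
    ssf = int(cfg.get("nsslapd-minssf", ["0"])[0])                       # default 0
    if ssf < min_ssf:
        findings.append(f"nsslapd-minssf={ssf}: below {min_ssf}, cleartext LDAP allowed")
    if cfg.get("nsslapd-require-secure-binds", ["off"])[0].lower() != "on":  # default off
        findings.append("nsslapd-require-secure-binds=off: simple binds allowed in clear")
    if cfg.get("nsslapd-allow-anonymous-access", ["on"])[0].lower() == "on":  # default on
        findings.append("nsslapd-allow-anonymous-access=on: anonymous bind permitted")
    tls = enc.get("sslversionmin", [None])[0]
    if tls is None or TLS_RANK.get(tls, -1) < TLS_RANK[min_tls]:
        findings.append(f"sslVersionMin={tls}: below {min_tls}")
    return findings

# Constructed samples: a replica at stock settings, then the hardened one.
WEAK = "dn: cn=config\nnsslapd-minssf: 0\n\ndn: cn=encryption,cn=config\nsslVersionMin: TLS1.0\n"
HARDENED = ("dn: cn=config\nnsslapd-minssf: 128\nnsslapd-require-secure-binds: on\n"
            "nsslapd-allow-anonymous-access: off\n\ndn: cn=encryption,cn=config\nsslVersionMin: TLS1.1\n")

if __name__ == "__main__":
    for name, dump in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(dump) or ["OK"])
```

Run it against a real dump by passing the dump text to `audit()`; the SSF and TLS floors are parameters so a stricter policy than the post's can be checked the same way.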
Add SAN to cert (without adding it to the CSR)
by Ian Pilcher
I am trying to create a certificate for an older network printer.
Unfortunately, I cannot just load a certificate and private key of my
own creation. The printer only supports certificates created from a
CSR of its own creation, which does not include the SAN.
Is it possible to make IPA copy the CN into the SAN?
Thanks!
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
4 years, 4 months
DNS problems
by Kristian Petersen
Hey all,
I am using IPA for my DNS and have 3 servers in total in the group. 2 of them
are responding to queries just fine, but the 3rd (which is bare metal, not
a VM like the others) is not resolving the queries issued to it. Running
ipactl status shows all services running:
[root@ipa3 /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
*named Service: RUNNING *
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
We tried restarting the services, but it didn't change anything. Next we tried
to do a forced sync of the server with one of its working replicas:
ipa-replica-manage force-sync --from ipa1.example.com
We also tried re-initializing the non-working replica:
ipa-replica-manage re-initialize --from ipa1.example.com
However, it still won't resolve any queries directed to it. Any ideas of
what to try next?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
4 years, 4 months